Hi,
I'm having some problems trying to validate signatures by using the issuer certificate. The issue appears to be with how certificates are resolved based on their DN. The following errors show up after turning debugging on:

[26/Jul/2005:10:41:30] No alias found for subject from issuer with [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US (serial 1048578)
[26/Jul/2005:10:41:30] No aliases found in keystore for issuer [EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US of certificate for [EMAIL PROTECTED], CN=Pawn Client, OU=PAWN Client, O=UMIACS, ST=Maryland, C=US



When a cert comes in over the wire, WSDoAllReceiver.verifyTrust calls cert.getIssuerDN().getName(), which returns a DN in the form of:

[EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US

However, when it tries to retrieve the corresponding certificate in Merlin.getAliasesForDN, it loops over the keystore and calls getSubjectDN().getName() while building a vector to compare. This, however, will return

C=US,ST=Maryland,L=College Park,O=UMIACS,OU=ADAPT CA,CN=Adapt Project CA,[EMAIL PROTECTED]

Calling getSubjectX500Principal().toString() produces a compatible DN, and allows verification to work.

[EMAIL PROTECTED], CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, L=College Park, ST=Maryland, C=US

It looks like the problem is with how different providers handle the EMAILADDRESS string. In the javadoc for X509Certificate it's recommended to use getSubjectX500Principal and getIssuerX500Principal rather than the provider-specific getSubjectDN and getIssuerDN.

Index: src/org/apache/ws/security/components/crypto/Merlin.java
===================================================================
RCS file: /home/cvspublic/ws-wss4j/src/org/apache/ws/security/components/crypto/Merlin.java,v
retrieving revision 1.24
diff -r1.24 Merlin.java
665c665,666
< Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectDN().getName());
---
> //Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectDN().getName()); > Vector foundRDN = splitAndTrim(((X509Certificate) cert).getSubjectX500Principal().toString());
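Review bot: the replacement still compares provider-rendered strings (splitAndTrim over toString()), so it only works while verifyTrust and this loop happen to format DNs the same way; comparing cert.getSubjectX500Principal() against the incoming certificate's getIssuerX500Principal() with equals(), or rendering both sides with getName(X500Principal.RFC2253), removes the dependence on string formatting that getSubjectDN's provider-specific output order exposed in the first place. The old line is also left in as a commented-out copy rather than deleted; drop it so the diff records the change cleanly. Note that the two `>` lines of the hunk have been run together on a single line in this copy of the patch.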

-Mike
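As an added illustration (not part of Mike's message or of WSS4J's code), the lookup described above done by X500Principal equality rather than by splitting provider-rendered strings. The DN strings and the keystore contents are constructed samples, and the class and method names (IssuerLookup, renderedTokensMatch, aliasesForIssuer) are hypothetical; with a real KeyStore the subject principals would come from ((X509Certificate) keyStore.getCertificate(alias)).getSubjectX500Principal().

```java
import javax.security.auth.x500.X500Principal;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added illustration (hypothetical names, not WSS4J code): match an incoming
 * certificate's issuer DN against keystore subject DNs by X500Principal
 * equality instead of by comparing provider-rendered strings.
 */
public class IssuerLookup {

    // Constructed sample strings: the same CA DN rendered two ways. The first
    // mimics an issuer DN printed by one provider, the second the same name
    // printed by another (no spaces, different keyword case).
    static final String ISSUER_AS_PRINTED =
        "EMAILADDRESS=ca@example.org, CN=Adapt Project CA, OU=ADAPT CA, O=UMIACS, "
      + "L=College Park, ST=Maryland, C=US";
    static final String SUBJECT_AS_PRINTED =
        "emailAddress=ca@example.org,CN=Adapt Project CA,OU=ADAPT CA,O=UMIACS,"
      + "L=College Park,ST=Maryland,C=US";

    /** Constructed keystore contents: the CA above plus two unrelated entries. */
    static Map<String, X500Principal> constructedKeystore() {
        Map<String, X500Principal> ks = new LinkedHashMap<>();
        ks.put("adapt-ca", new X500Principal(SUBJECT_AS_PRINTED));
        ks.put("other-ca", new X500Principal("CN=Other CA, O=Example Org, C=US"));
        ks.put("client", new X500Principal(
            "EMAILADDRESS=client@example.org, CN=Pawn Client, OU=PAWN Client, "
          + "O=UMIACS, ST=Maryland, C=US"));
        return ks;
    }

    /**
     * The fragile comparison: split both rendered strings on commas, trim,
     * and compare token by token. Any difference in keyword spelling or case,
     * in RDN order, or an escaped comma inside a value breaks the match.
     */
    static boolean renderedTokensMatch(String a, String b) {
        String[] ta = a.split(",");
        String[] tb = b.split(",");
        if (ta.length != tb.length) {
            return false;
        }
        for (int i = 0; i < ta.length; i++) {
            if (!ta[i].trim().equals(tb[i].trim())) {
                return false;
            }
        }
        return true;
    }

    /**
     * The robust comparison: X500Principal.equals() compares the canonical
     * form derived from the DER encoding, so formatting differences between
     * providers do not matter. RDN order is still significant, which is why
     * both principals should be taken straight from the certificates
     * (getIssuerX500Principal / getSubjectX500Principal) rather than rebuilt
     * from a provider's string rendering.
     */
    static List<String> aliasesForIssuer(X500Principal issuer,
                                         Map<String, X500Principal> keystore) {
        List<String> found = new ArrayList<>();
        for (Map.Entry<String, X500Principal> e : keystore.entrySet()) {
            if (issuer.equals(e.getValue())) {
                found.add(e.getKey());
            }
        }
        return found;
    }

    public static void main(String[] args) {
        X500Principal issuer = new X500Principal(ISSUER_AS_PRINTED);
        Map<String, X500Principal> ks = constructedKeystore();

        // String comparison of the two renderings trips over the keyword case.
        System.out.println("token match: "
            + renderedTokensMatch(ISSUER_AS_PRINTED, SUBJECT_AS_PRINTED));

        // Principal comparison finds the CA however it was printed.
        System.out.println("aliases: " + aliasesForIssuer(issuer, ks));

        // Both sides rendered by the same formatter agree, which is what
        // switching both call sites to the X500Principal accessors achieves.
        System.out.println("same RFC 2253 form: "
            + issuer.getName(X500Principal.RFC2253)
                    .equals(ks.get("adapt-ca").getName(X500Principal.RFC2253)));
    }
}
```

Running it shows the token comparison failing on the keyword case alone while aliasesForIssuer returns the CA alias. Matching the issuer DN only selects a candidate certificate; the actual trust decision still rests on the signature and chain validation that follows, so a DN mismatch should lead to a rejected message, never to a relaxed comparison.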